ITP and browser tracking prevention
Intelligent Tracking Prevention (ITP) in Safari/WebKit, and equivalent protections in other browsers, limit how long cookies set by scripts survive and restrict cross-site tracking. The result: returning visitors look new, attribution windows shorten, and cohort retention is understated. This page explains the mechanisms and their effect on analytics.
What ITP and similar features do
WebKit's Intelligent Tracking Prevention classifies domains and limits the lifetime of cookies and storage they set, especially client-side script-set cookies, which can be capped to a short window. It also partitions or blocks state that enables cross-site tracking. Other browsers ship related protections that restrict third-party cookies and bounce-tracking.
For analytics, the visible effect is that the identifier used to recognise a returning visitor often expires, so the next visit is counted as new.
- Script-set cookie lifetimes can be capped short
- Cross-site state is partitioned or blocked
- Returning visitors get recounted as new
What it distorts in reports
Returning-visitor and retention metrics are understated because the link between visits is broken. Attribution look-back windows that rely on a persistent identifier effectively shorten. Conversion paths spanning days may fragment. The fix is not to evade prevention but to lean on shorter-window, first-party, aggregate measurement that does not assume durable cross-visit identity.
How it appears in analytics and logs
A high share of 'new' visitors and short look-back attribution can reflect capped cookie lifetimes, not a genuinely first-time audience.
Diagnostic use case
Interpret inflated new-visitor counts and shortened attribution windows as artefacts of tracking prevention rather than real audience change.
What WebmasterID can help detect
WebmasterID's first-party, privacy-first model does not depend on long-lived cross-site identifiers, so it degrades gracefully under tracking prevention.
Common mistakes
- Reading inflated new-visitor counts as real audience growth.
- Expecting long attribution windows to hold under ITP.
- Trying to restore long-lived identifiers to defeat prevention.
Privacy and accuracy notes
Tracking prevention enforces the visitor's privacy by design. Analytics should adapt to it, not attempt to evade it; coarse, first-party measurement is the compatible path.
Related pages
- Ad blockers and analytics gaps
Content blockers and privacy extensions block requests to known analytics and tracking domains, so a share of visitors never fire the tag. The effect is a systematic undercount in client-side analytics that varies by audience and browser. This page explains how blocking works, why the gap is uneven, and how first-party server-side measurement reduces it.
- New vs returning misclassification
New-vs-returning depends on recognising the same visitor across visits, which relies on a stored identifier. When that identifier is missing — cleared cookies, tracking prevention, a different device or browser, or declined consent — a returning visitor is recorded as new. The result over-states 'new' visitors and understates loyalty. This page explains the failure modes.
- Do Not Track (DNT) and GPC
Do Not Track (DNT) was a browser-sent header asking sites not to track the user. It was never widely honoured and lacked legal force, so it largely faded. Global Privacy Control (GPC) is the spiritual successor: a signal that, under laws like the CCPA/CPRA, regulators have said must be treated as a valid opt-out. This is an educational overview, not legal advice.
- Privacy-first analytics
Measurement that does not rely on durable cross-site IDs.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.